Management Information Report

Weaknesses in RRB Controls for Protecting Social Security Numbers

Report No. 02-05, February 13, 2002

INTRODUCTION

This Management Information Report presents serious control weaknesses related to the protection of Social Security Numbers (SSN) and other sensitive information. This situation was noted during the initial stage of an Office of Inspector General (OIG) review of the Railroad Retirement Board’s (RRB) Controls Over the Access, Disclosure and Use of SSNs by Third Parties. Due to the sensitive nature of data that has been left unsecured and subject to unauthorized disclosure, this situation is being brought to the RRB’s attention for immediate corrective action.

BACKGROUND

The RRB is an independent agency in the executive branch of the Federal government. The RRB’s primary function is to administer comprehensive retirement-survivor and unemployment-sickness benefit programs for the nation’s railroad workers and their families. These benefits are provided under the Railroad Retirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA).

During fiscal year 2000, the RRB paid retirement-survivor benefits to approximately 724,000 beneficiaries. The RRB also paid unemployment and sickness benefits to 35,000 individuals qualifying under the RUIA.

Due to concerns related to perceived widespread sharing of personal information and occurrences of identity theft, Congress asked GAO to study how and to what extent Federal, state and local government agencies use individuals’ SSNs and how these entities safeguard records or documents containing those SSNs.

The expanded use of the SSN as a national identifier provides a tempting motive for many unscrupulous individuals to acquire an SSN and use it for illegal purposes. While no one can fully prevent SSN misuse as currently administered, Federal agencies have a responsibility to limit the risk of unauthorized disclosure of SSN information. To that end, the Chairman of the House Ways and Means Subcommittee on Social Security asked the Social Security Administration (SSA) OIG and the President’s Council on Integrity and Efficiency (PCIE) to look across government at the way Federal agencies disseminate and control the SSN.

As a result of this request, the PCIE is coordinating reviews of controls over the access, disclosure and use of SSNs by several agencies. Our office is participating in this joint project and has opened an audit at the RRB. The audit is in its initial stages, and this report presents the results of only the initial security testing.

OBJECTIVE, SCOPE AND METHODOLOGY

The objective of the OIG’s audit is to assess the RRB’s controls over the access, disclosure, and use of SSN information by third parties.

The initial testing included security checks to determine if RRB employees are creating a risk of unauthorized disclosures by discarding documents containing SSNs and other sensitive data in trash cans in their work areas or in trash containers in the elevator hallways. The auditors also looked for RRB documents containing SSNs left unattended in the elevator hallways.

OIG auditors performed the security checks by visiting the elevator lobby areas and associated hallways on each floor of the RRB’s headquarters building in Chicago, Illinois, and inspecting documents in storage containers, trash containers and trash bags. The security checks were performed between 3:00 p.m. and 4:00 p.m. and again between 4:30 p.m. and 5:30 p.m. on January 24, 2002.

RESULTS OF REVIEW

Security tests reflect that the RRB is not adequately protecting SSNs and other sensitive information from unauthorized disclosures. Documents containing SSNs and other sensitive information were observed in storage containers, unlocked trash containers and trash bags located in the elevator lobbies on seven different floors of the building. Attachment A identifies the specific floors where these documents were observed. The following paragraphs provide additional information on this situation.

Several storage containers (boxes and tubs) containing hundreds, or thousands, of RRB documents, including claim folders with the names and SSNs of RRB customers, were left unattended in the elevator lobby areas of the RRB headquarters building. These documents were discovered on four different floors of the building (3rd, 5th, 7th and 11th floors).

RRB employees also discarded documents containing names, addresses, SSNs, and/or dates of birth in trash containers in the elevator lobby areas. These documents were discovered on three different floors of the building (4th, 5th and 11th floors). In some instances, locked trash containers were available and labeled “SHREDDING CONTAINER for Privacy Act Materials ONLY.” One of these containers had a padlock, but it was left unlocked. Documents containing SSNs and other sensitive data were in this container. Containers on other floors either did not have locks or were not designed to be locked. One of the containers that was not designed to be locked was located on the fourth floor. This container held numerous medical records, which included names, addresses, SSNs, dates of birth, and other medical information that could be considered very private information.

We observed 17 lockable containers on the twelfth floor of the RRB building that were not being used.

It also appears that RRB employees are discarding documents with SSNs in the trash cans in their work areas. Documents containing SSNs were found in trash bags in the lobbies next to the freight elevators. These documents were discovered on three different floors of the building (2nd, 6th, and 11th floors). Cleaning personnel collect trash from individual trash cans in the working areas and place it in trash bags, which are put next to the freight elevator for later transportation to the loading dock.

The Privacy Act of 1974 states that the Congress finds the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies. The purpose of the Act is to provide certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies, except as otherwise provided by law, to, among other things, disseminate any record of identifiable personal information in a manner that assures that such action is for a necessary and lawful purpose and that adequate safeguards are provided to prevent misuse of such information.

Individuals allowed access to the RRB building for a variety of reasons have access to the unsecured documents and trash containing SSNs and other sensitive data. This data could be used for identity theft. The misuse of the SSN has quickly become a national dilemma. The universal use of the SSN has given it a lot of power. The powers to engage in financial transactions, obtain personal information, and create or commandeer identities make it a valuable asset and one that is subject to limitless abuse. For example, the SSA/OIG received 46,840 allegations of SSN misuse in fiscal year 2000 and has also reported instances of SSN misuse by SSA employees.

In addition to the above documents, the RRB discarded a number of plastic cards used to produce building identification (ID) cards. These cards were in a box on the floor of the 12th floor, where the RRB had recently issued new building ID cards. On one side, these cards were very similar in appearance to the ID cards issued to RRB employees. The first line on this side of the cards contained the words “Temporary Building Admittance” in red print. The other side of the cards contained the words “U.S. Railroad Retirement Board” and “Groundhog Job Shadow Day” along with a small picture of two groundhogs. Some of the cards were imprinted with individual names. An individual could cover the words “Groundhog Job Shadow Day” and the picture of the two groundhogs with a picture of themselves. The ID card would then be very similar to the employee ID cards, and an unauthorized individual would have a good chance of gaining entry to the RRB building. These ID cards could be picked up by RRB employees, cleaning personnel, and employees of contractors working in the building.

Recommendations

The OIG recommends that the Senior Executive Officer:

• take steps to ensure that RRB employees protect SSNs and other sensitive data against unauthorized disclosures (Recommendation No. 1);

• take immediate steps to secure documents in the elevator lobbies that contain names, SSNs and other sensitive information (Recommendation No. 2);

• take steps to ensure that locked containers are available on each floor of the building for disposition of documents containing sensitive data (Recommendation No. 3); and

• take steps to appropriately secure or properly discard the ID cards located on the 12th floor (Recommendation No. 4).

Management’s Response

The Senior Executive Officer concurred with recommendations #1, #3, and #4, but did not fully agree with recommendation #2. The Senior Executive Officer did not agree that the practice of temporarily storing claim files in centrally located bins constitutes an unwarranted security risk. However, the Senior Executive Officer will consider alternative methods of storage in an effort to enhance security without adversely affecting workflows or significantly increasing costs.

OIG’s Comments on Management’s Response

The OIG recognizes the RRB’s need to keep equipment and personnel costs low. The OIG is, however, concerned with the practice of leaving claim folders and other documents in the elevator lobbies unsupervised for extended periods of time or overnight. In considering alternative methods of storing the documents being sent to the Federal Records Center or other RRB locations, the RRB should pursue the possibility of storing the documents within the RRB work areas or other secured areas rather than in the elevator lobbies. RRB employees would then be better able to observe and supervise the documents during working hours and able to secure them after working hours. This small change in location should not adversely affect workflow or significantly increase costs.